malwarewikiaorg-20200223-history
Sonic Gather Battle
Sonic Gather Battle is a Sonic The Hedgehog fan game for Microsoft Windows, made by Leemena-dan, that contains a trojan. Not all of its effects are currently known, but it contains DRM that does malicious things to affected computers and makes the game itself unplayable. The game's creator apparently put the malicious code into the game to prevent people from ripping sprites from it; despite these attempts, the sprites were ripped and posted on the internet. A 2014 version of the game was stated to have no malicious content, although it still needed administrative privileges to run; that version only creates a UCF-10 log file in the drivers folder.

The game itself is a fighting game running on the Little Fighter 2 engine. It originally existed under the name SONICvsLF2 and had no malicious effects at that point in time. SONICvsLF2 in its original state was cancelled after sprites were ripped from it, but it was later revived under the name Sonic Gather Battle. The game was discovered to have malicious effects in December 2017, though it may have behaved this way as far back as 2016 without being discovered.

Payload

The game requires administrative permissions to run, which is unusual for a fan-made game. These permissions are apparently required to fix a crash at the game's loading screen and to edit the Windows Registry, although many still find this suspicious given the game's other behaviour. If the computer is not connected to the internet, the game will not run (according to a YouTube commenter's own experience, which seems plausible given the following procedure). When installed, the game secretly opens whatsmyip.org and sends the IP address to a server the game is connected to, which the creator can use to remotely disable the game. It also checks the user's Google history, and it creates a file called "b.dll", reads it, and then immediately deletes it, though the game's creator claims that this does not happen.
It also edits the computer's registry and some small files, which the game's creator claims is "not completely done by the game" and is at least partially Windows automatically storing information. The game also apparently has an API call for raw hard disk access, which is currently believed to be used to detect whether tools such as hex editors or cheat engines are installed on the computer. The developer claims that the game does not scan installed files or registry keys; this claim has not been confirmed or refuted.

When played without the DRM being activated, the game behaves fairly normally, except, of course, that it tracks browser data and has edited the computer's files. The game's DRM can be activated by running a cheat engine or having one installed, by typing the game's name followed by "cheat", "hack", or "mod" into a search engine, by editing its files, or possibly just by a bug. The search-engine trigger works by checking the titles of open windows: the game automatically closes any window whose title contains keywords such as "cheat" or "hack". The creator has apparently updated the game to close the game itself rather than the browser, though reading other windows' titles is still considered intrusive.

There are two effects the DRM can have on the game itself. The first turns the game's background blue and the tiles black, plays Fakery Way, and adds near-invincible red Hyudoros, effectively making the game unplayable. The second, which is triggered by trying to uninstall the game with the red ghost "protection" already activated, by opening cheat engine, and by other actions, changes the game's background colour palette to a mix of red and black, makes eyes appear on the screen, applies a red grit effect to the screen, disables the ability to pause the game, and changes the music to the Sonic CD boss theme (US version); the invincible ghost enemies still appear, but with a different appearance and in larger numbers.
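The behaviours listed above (the "b.dll" that is created and immediately deleted, the whatsmyip.org lookup, and the raw hard disk access) are the kind of host indicators a defender can correlate per process rather than alert on one at a time. The following Python is an added example and is not code from this wiki or from the game: the event records are constructed here and loosely modelled on Sysmon event types, and the process name sgb.exe, the timestamps, the file paths and the five-second "immediately deleted" window are assumptions.

```python
"""Correlate the page's host indicators per process over constructed event records.

Added example, not code from the wiki or the game. Event types are loosely
modelled on Sysmon (FileCreate, FileDelete, DnsQuery, RawAccessRead); the
process name, paths and timestamps below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DROPPED_DLL = "b.dll"                 # file the page says is created, read and deleted
IP_LOOKUP_HOSTS = {"whatsmyip.org"}   # site the page says the game opens to learn its IP
DELETE_WINDOW = timedelta(seconds=5)  # assumption: "immediately deleted" means within seconds

# Constructed sample events. "sgb.exe" is a placeholder process name, not from the page.
SAMPLE_EVENTS = [
    {"t": "2017-12-10T20:00:01", "type": "DnsQuery", "proc": "sgb.exe", "pid": 4242,
     "query": "whatsmyip.org"},
    {"t": "2017-12-10T20:00:02", "type": "FileCreate", "proc": "sgb.exe", "pid": 4242,
     "path": r"C:\Games\SGB\b.dll"},
    {"t": "2017-12-10T20:00:03", "type": "FileDelete", "proc": "sgb.exe", "pid": 4242,
     "path": r"C:\Games\SGB\b.dll"},
    {"t": "2017-12-10T20:00:04", "type": "RawAccessRead", "proc": "sgb.exe", "pid": 4242,
     "device": r"\Device\HarddiskVolume1"},
    # Benign noise from another process: a file that is created and kept.
    {"t": "2017-12-10T20:01:00", "type": "FileCreate", "proc": "notepad.exe", "pid": 99,
     "path": r"C:\Users\u\a.txt"},
]


def _ts(event):
    return datetime.fromisoformat(event["t"])


def _basename(path):
    # Normalise Windows and POSIX separators, compare case-insensitively.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def indicators(events):
    """Map each pid to the set of indicator names observed for it."""
    hits = defaultdict(set)
    pending_create = {}  # pid -> time b.dll was created, awaiting a matching delete
    for e in sorted(events, key=_ts):
        kind = e["type"]
        if kind == "FileCreate" and _basename(e["path"]) == DROPPED_DLL:
            pending_create[e["pid"]] = _ts(e)
        elif kind == "FileDelete" and _basename(e["path"]) == DROPPED_DLL:
            created = pending_create.pop(e["pid"], None)
            # Only a create followed quickly by a delete from the same pid counts.
            if created is not None and _ts(e) - created <= DELETE_WINDOW:
                hits[e["pid"]].add("transient_dll")
        elif kind == "DnsQuery" and e["query"].lower() in IP_LOOKUP_HOSTS:
            hits[e["pid"]].add("ip_lookup")
        elif kind == "RawAccessRead":
            hits[e["pid"]].add("raw_disk_access")
    return dict(hits)


def suspicious_pids(events, threshold=2):
    """Pids showing at least `threshold` distinct indicators; one alone is weak evidence."""
    return {pid for pid, names in indicators(events).items() if len(names) >= threshold}


if __name__ == "__main__":
    for pid, names in indicators(SAMPLE_EVENTS).items():
        print(pid, sorted(names))
    print("suspicious:", suspicious_pids(SAMPLE_EVENTS))
```

Requiring two or more distinct indicators per process is what keeps an ordinary program that happens to query an IP-lookup site, or a backup tool that legitimately reads the raw disk, from being flagged on its own; the transient-DLL rule also deliberately ignores a delete that arrives long after the create, since that pattern is normal file churn rather than the read-and-destroy behaviour the page describes.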
If the game is uninstalled and reinstalled at this point, these effects continue to happen because the game checks the server. The effects can apparently be deactivated by contacting the game's creator so that he whitelists the computer himself via the server the game is connected to. The creator will only whitelist the computer once the user proves they are innocent and not trying to hack the game. The game is no longer playable normally or installable, as the developer has stopped making it available to download and has manually disabled the game for everyone who had it installed. However, it was said that the game was reactivated after an update on December 14. The game does not run on many virtual machines/emulators, although it is not proven that it fails on all virtual machines. A re-uploaded version of the game was uploaded by an unknown person: [WARNING, THIS WIKI BEARS NO RESPONSIBILITY IF YOUR PC IS DAMAGED FROM THIS.

Media

Is this supposed to happen in the game? Sonic gather battle
Video demonstrating Sonic Gather Battle's DRM and web browser tracking. - Sonic Gather Battle
File:Sonic Gather Battle Stage 2 - Ghost Infused

References

http://sonicfangameshq.com/SGB.txt